36 changes: 25 additions & 11 deletions .claude/session-start-global-deny.sh
@@ -12,13 +12,18 @@ set -e

GLOBAL_SETTINGS="$HOME/.claude/settings.json"

if ! [ -f "$GLOBAL_SETTINGS" ] || ! grep -q "mcp__github__push_files" "$GLOBAL_SETTINGS" 2>/dev/null; then
mkdir -p "$HOME/.claude"
# The previous version of this block only ran the merge when push_files was
# missing, which silently left the policy incomplete if push_files happened to
# exist while one of the other two rules had been removed. The python3 merge
# is idempotent (skips rules already present), so we now always run it on
# session start to guarantee all three deny rules are in place.
# Tracked org-wide at runcycles/.github#63.
mkdir -p "$HOME/.claude"

if [ -f "$GLOBAL_SETTINGS" ]; then
TMP_SETTINGS=$(mktemp)
if command -v python3 &>/dev/null; then
python3 -c "
if [ -f "$GLOBAL_SETTINGS" ]; then
TMP_SETTINGS=$(mktemp)
if command -v python3 &>/dev/null; then
python3 -c "
import json
with open('$GLOBAL_SETTINGS') as f:
settings = json.load(f)
@@ -37,11 +42,11 @@ with open('$TMP_SETTINGS', 'w') as f:
json.dump(settings, f, indent=2)
f.write('\n')
" && mv "$TMP_SETTINGS" "$GLOBAL_SETTINGS"
else
rm -f "$TMP_SETTINGS"
fi
else
cat > "$GLOBAL_SETTINGS" << 'EOF'
rm -f "$TMP_SETTINGS"
fi
else
cat > "$GLOBAL_SETTINGS" << 'EOF'
{
"$schema": "https://json.schemastore.org/claude-code-settings.json",
"permissions": {
@@ -53,10 +58,19 @@ with open('$TMP_SETTINGS', 'w') as f:
}
}
EOF
fi
fi

# --- Part 2: Fix git remote URLs to use local proxy ---
# NOTE: This block intentionally rewrites the `origin` remote on EVERY sibling
# repo under /home/user/* with a github.com remote, not just this one. Claude
# Code remote sessions clone multiple repos and all need the local git proxy.
# To opt out (e.g., when running outside that environment, or when you want
# unrelated checkouts left alone), set CYCLES_CLAUDE_SKIP_REMOTE_REWRITE=1.
# Tracked org-wide at runcycles/.github#63.
if [ -n "$CYCLES_CLAUDE_SKIP_REMOTE_REWRITE" ]; then
exit 0
fi

# Some sessions clone repos via github.com directly, which lacks push credentials.
# If the local git proxy is running, rewrite remote URLs to use it.

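Review bot: The merge in the existing-file branch still fails open, so the new comment's "guarantee all three deny rules are in place" does not hold on every path. When `python3` is missing the `else` arm only runs `rm -f "$TMP_SETTINGS"`, and when the `python3 -c` step fails (for example on a settings file that is not valid JSON) the `&& mv` list is exempt from `set -e`, so the script continues with the old settings and leaves the temp file behind, with no message in either case. Both paths should at least report on stderr: append `|| { rm -f "$TMP_SETTINGS"; echo "deny-rule merge failed; $GLOBAL_SETTINGS unchanged" >&2; }` after the `mv`, and add `echo "python3 not found; deny rules not verified" >&2` to the `else` arm. Whether the hook should also exit non-zero depends on how the session runner treats a failing hook, which is not visible here. The Python body between the first two hunks is collapsed, so this rests on the visible lines only.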